Re: Fine-tuning a rule

["Michael Scheidell" <scheidell () secnap net>]

----- Original Message -----
From: "Shane Hickey" <shane () howsyournetwork com>
Newsgroups: local.snort.users
Sent: Friday, May 17, 2002 3:34 PM
Subject: [Snort-users] Fine-tuning a rule


> Hello,
> I'm receiving a large amount of false-positives on this rule
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts
> access"; flags:A+; uricontent:"/scripts/"; nocase;
> classtype:web-application-activity; sid:1287; rev:2;)
>
> On all my false positives, the scripts directory is actually beneath
> another directory /test/.  I was wondering if there's a way to pass
> traffic that is accessing /test/scripts/ and still alert me about any
> other /scripts/ http traffic?

add this rule ABOVE the previous one ?
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 flags:A+;
uricontent:"/test/scripts/"; nocase;)
--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell () secnap net
http://www.secnap.net
> Thanks,
>
> Shane
>
>
> _______________________________________________________________
>
> Hundreds of nodes, one monster rendering program.
> Now that's a super model! Visit http://clustering.foundries.sf.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ---


_______________________________________________________________

Hundreds of nodes, one monster rendering program.
Now that’s a super model! Visit http://clustering.foundries.sf.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users